Microsoft is facing renewed scrutiny over its security practices as Tenable CEO Amit Yoran claims the software company has failed to patch a critical Azure vulnerability that his researchers reported in March.
Yoran said the vulnerability allowed researchers to access sensitive information from a bank, however Microsoft is dragging its feet after developing a partial fix that Tenable was later able to bypass.
The new vulnerability is part of a nearly 10-year pattern at Microsoft wherein the company is failing to put the security of its customers first, Yoran claims.
“Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” Yoran said in a LinkedIn post.
Tenable said the vulnerability in Azure allows an attacker to gain unauthorized but limited access to cross-tenant applications and sensitive data, including authentication secrets.
Tenable immediately notified Microsoft about the vulnerability at the end of March and requested an update in late June. Microsoft notified Tenable on July 6 that the issue was fixed, but Tenable checked the fix and was able to get around it.
“Once authentication access is gained in Azure, there are countless avenues that could be pursued by attackers, and it would look different not only per customer, but per identity,” Robert Huber, CSO and head of research at Tenable, said via email. “The issue for customers is that they have no visibility into the fabric of the [Cloud Solution Provider], so they cannot monitor for exposure or compromises.”
Tenable warned Microsoft that it planned to release an advisory, and says Microsoft requested a delay then inquired about what the advisory would say. Microsoft told Tenable a fix would not be completed until September 28.
Microsoft said the original fix resolved the issue for most customers, but a spokesperson said it appreciates the collaboration with the security community and has now fully resolved the vulnerability.
“We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications,” a Microsoft spokesperson said via email. “Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”
The security practices at Microsoft have been a recurring issue with outside researchers, customers and in recent months, government officials.
Microsoft came under fierce criticism last month after the State Department and other government agencies were hacked by suspected state-linked attackers connected to China.
Microsoft agreed to allow free security log features for cloud customers after federal officials, including Sen. Ron Wyden, D-Oregon, raised questions about why customers should have to pay additional fees for essential secure software.
CrowdStrike CEO George Kurtz, a frequent critic of Microsoft, agreed with Yoran’s criticism of Microsoft, saying the company’s practices puts its own customers at risk.
“And when there is a problem with their broken architecture, they blame shift to the victim rather than take responsibility,” Kurtz wrote, citing the federal concerns raised about Microsoft security.
Microsoft has positioned itself as a vanguard company in the information security industry in recent years, fueled by key acquisitions and the ability to provide end-to-end security solutions to customers looking to consolidate multiple vendors.
Tenable raised similar issues related to vulnerabilities in Azure Synapse in 2022.